Glassdoor: Site wide CSRF affecting both job seeker and Employer account on glassdoor.com

2020-02-06T18:50:54
ID H1:790061
Type hackerone
Reporter ta8ahi
Modified 2020-12-10T15:28:43

Description

Summary: I have found an issue which enables an attacker to perform CSRF attacks on all actions on both job seeker and employer accounts on www.glassdoor.com.

The attacker is able to get a CSRF token from the server, which can be used to perform CSRF attacks on any logged-in victim on both types of Glassdoor accounts.

The attacker can carry out an attack to invite a new user as admin on a victim's employer account, which leads to account takeover. For job seeker accounts too, the attacker can perform all actions on the victim's account, such as adding salaries/reviews/photos, editing their profile, deleting CVs and all other possible actions.

Bug Write-Up at: Witcoat Blog
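The root cause described above is a CSRF token that the server hands out without tying it to the session it was issued for, so a token the attacker fetches is accepted on the victim's requests. The following is an added example, not Glassdoor's code, contrasting that weak pattern with a session-bound token (HMAC over the session id and a nonce); the session ids and secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from config or a KMS.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def issue_unbound_token(issued: set) -> str:
    """Weak pattern: the token is random but recorded without any owner."""
    token = secrets.token_hex(16)
    issued.add(token)
    return token


def verify_unbound_token(token: str, issued: set) -> bool:
    """Weak check: only asks 'did we issue this?', never 'for whom?'."""
    return token in issued


def issue_bound_token(session_id: str) -> str:
    """Mint a token as nonce.HMAC(secret, session_id:nonce); no server-side state needed."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_bound_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the session presenting the token; a foreign session's token fails."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    attacker_session = "sess-attacker-0001"  # constructed
    victim_session = "sess-victim-0002"      # constructed
    issued = set()
    unbound = issue_unbound_token(issued)    # fetched by the attacker's own session
    bound = issue_bound_token(attacker_session)
    return {
        # Weak scheme: a token fetched by the attacker passes on the victim's request.
        "unbound_accepted_cross_session": verify_unbound_token(unbound, issued),
        "bound_accepted_own_session": verify_bound_token(attacker_session, bound),
        "bound_accepted_cross_session": verify_bound_token(victim_session, bound),
    }
```

Binding the token to the session (or deriving it from the session cookie) is what removes the "fetch once, replay against anyone" property; a per-user rotating token stored server-side achieves the same end.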